alexplaskett/ntfs-wnf-1.c Secret

## ntfs-wnf-1.c
__int64 __fastcall NtfsQueryEaUserEaList(__int64 a1, __int64 eas_blocks_for_file, __int64 a3, __int64 out_buf, unsigned int out_buf_length, unsigned int *a6, char a7)
{

  unsigned int padding; // er15
  padding = 0;


   for ( i = a6; ; i = (unsigned int *)((char *)i + *i) )
    {
      if ( i == v11 )
      {
        v15 = occupied_length;
        out_buf_pos = (_DWORD *)(out_buf + padding + occupied_length);
        if ( (unsigned __int8)NtfsLocateEaByName(
                                ea_blocks_for_file,
                                *(unsigned int *)(a3 + 4),
                                &DestinationString,
                                &ea_block_pos) )
        {
          ea_block = (FILE_FULL_EA_INFORMATION *)(ea_blocks_for_file + ea_block_pos);
          ea_block_size = ea_block->EaNameLength + ea_block->EaValueLength + 9;           // Attacker controlled from Ea
          if ( ea_block_size <= out_buf_length - padding )                                // The check which can underflow
          {
            memmove(out_buf_pos, ea_block, ea_block_size);
            *out_buf_pos = 0;
            goto LABEL_8;
          }
        }

           *((_BYTE *)out_buf_pos + *((unsigned __int8 *)v11 + 4) + 8) = 0;
LABEL_8:
            v18 = ea_block_size + padding + v15;
            occupied_length = v18;
            if ( !a7 )
            {
              if ( v23 )
                *v23 = (_DWORD)out_buf_pos - (_DWORD)v23;
              if ( *v11 )
              {
                v23 = out_buf_pos;
                out_buf_length -= ea_block_size + padding;
                padding = ((ea_block_size + 3) & 0xFFFFFFFC) - ea_block_size;
                goto LABEL_24;
              }
            }
LABEL_12:
	__int64 __fastcall NtfsQueryEaUserEaList(__int64 a1, __int64 eas_blocks_for_file, __int64 a3, __int64 out_buf, unsigned int out_buf_length, unsigned int *a6, char a7)
	{

	unsigned int padding; // er15
	padding = 0;


	for ( i = a6; ; i = (unsigned int )((char )i + *i) )
	{
	if ( i == v11 )
	{
	v15 = occupied_length;
	out_buf_pos = (_DWORD *)(out_buf + padding + occupied_length);
	if ( (unsigned __int8)NtfsLocateEaByName(
	ea_blocks_for_file,
	(unsigned int )(a3 + 4),
	&DestinationString,
	&ea_block_pos) )
	{
	ea_block = (FILE_FULL_EA_INFORMATION *)(ea_blocks_for_file + ea_block_pos);
	ea_block_size = ea_block->EaNameLength + ea_block->EaValueLength + 9; // Attacker controlled from Ea
	if ( ea_block_size <= out_buf_length - padding ) // The check which can underflow
	{
	memmove(out_buf_pos, ea_block, ea_block_size);
	*out_buf_pos = 0;
	goto LABEL_8;
	}
	}

	((_BYTE )out_buf_pos + ((unsigned __int8 )v11 + 4) + 8) = 0;
	LABEL_8:
	v18 = ea_block_size + padding + v15;
	occupied_length = v18;
	if ( !a7 )
	{
	if ( v23 )
	*v23 = (_DWORD)out_buf_pos - (_DWORD)v23;
	if ( *v11 )
	{
	v23 = out_buf_pos;
	out_buf_length -= ea_block_size + padding;
	padding = ((ea_block_size + 3) & 0xFFFFFFFC) - ea_block_size;
	goto LABEL_24;
	}
	}
	LABEL_12: